[LINK] Novarg / Mydoom / Shimg worm update
Chirgwin, Richard
Richard.Chirgwin at informa.com.au
Thu Jan 29 16:12:39 EST 2004
Tom wrote:
[big snip]
> 4. Home users who leave their computer connected to the
> Internet for any
> length of time should install personal firewall software.
Yes, but there's a hugely important caveat. A personal firewall is
non-trivial; not all personal firewalls are the same; and they're not
particularly friendly to the non-tech user. A personal firewall should
default to "allow nothing" and force users to enable ports as needed; but
too many default to "allow most things" and demand the user configure
"disallowed" ports and protocols one-by-one. This is demanding and
confusing; that's why security people come at a premium.
It's also very hard for the common user to decide the meaning of a firewall
alert. What does this mean?:
"TCP connection to 203.166.18.222:80 was blocked by rule (rulename)"
To us - some of us - it's clear. To others, not. At the consumer level, I am
concerned that the rule "a misconfigured firewall is worse than no
firewall".
Look at the things that need to be decided for one firewall rule:
- what protocol does the rule apply to? (TCP, UDP, both, ICMP, something else?)
- which direction (incoming/outgoing)?
- what kind of port for the local machine? Which local application?
- what remote address (one address - some - all)? Remote port number/s?
All of these have a considerable burden of background knowledge before they
make sense; for example, for (say) mail you have to know that your mailer
will use SMTP, that you need more than one port open to make connection,
that you should only need to support one remote endpoint to the ISP's
server, but that sometimes the firewall will also need to allow a DNS lookup
to find the mail server, and that this has nothing to do with the ports
needed for SMTP...
I know. Eat the greens, they're good for us...
RC
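The four decisions listed in the post, worked through as an added example that is not part of the original message: a small default-deny rule evaluator with a rule set covering only the mail case (one DNS lookup, then SMTP to the ISP's server). The resolver and mail server addresses (203.0.113.x) and the program name mailer.exe are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# Constructed placeholder addresses for the ISP's resolver and mail server.
ISP_DNS = "203.0.113.53"
ISP_SMTP = "203.0.113.25"

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                  # "tcp", "udp", "icmp" or "any"
    direction: str              # "in" or "out"
    local_app: str              # local program name, or "any"
    remote: str                 # remote address range in CIDR form
    remote_port: Optional[int]  # None means any remote port
    action: str                 # "allow" or "block"

@dataclass(frozen=True)
class Conn:
    proto: str
    direction: str
    local_app: str
    remote_ip: str
    remote_port: int

def matches(rule: Rule, conn: Conn) -> bool:
    return (rule.proto in ("any", conn.proto)
            and rule.direction == conn.direction
            and rule.local_app in ("any", conn.local_app)
            and ip_address(conn.remote_ip) in ip_network(rule.remote)
            and rule.remote_port in (None, conn.remote_port))

def decide(rules, conn: Conn, default: str = "block"):
    """First matching rule wins; anything unmatched gets the default policy."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action, rule.name
    return default, "default policy"

def alert(conn: Conn, decision) -> str:
    # Render the kind of alert line the post quotes.
    action, name = decision
    verb = "was blocked" if action == "block" else "was allowed"
    return (f"{conn.proto.upper()} connection to {conn.remote_ip}:{conn.remote_port} "
            f"{verb} by rule ({name})")

# "Allow nothing" base with only what outbound mail needs: a DNS lookup to the
# ISP resolver, then SMTP from the mailer to the ISP's mail server.
MAIL_RULES = [
    Rule("dns-lookup", "udp", "out", "any", f"{ISP_DNS}/32", 53, "allow"),
    Rule("smtp-to-isp", "tcp", "out", "mailer.exe", f"{ISP_SMTP}/32", 25, "allow"),
]
```

Anything not covered by those two rules, such as a different program talking SMTP or a web connection to an unrelated host, falls through to the default block.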